Hi, I have been trying to secure my SOAP webservices with Apache Shiro but I am stuck: I managed to either restrict everything or nothing, but what I want is to have everything secured except for access to the wsdl which should be open to unrestricted access.

/SoapService?wsdl should be open to anybody without requiring authentication, while everything else should be restricted to authenticated users.

Here is what I tried and did not work:

    /SoapService?wsdl = noSessionCreation, ssl[8443], anon
    /SoapService/** = noSessionCreation, ssl[8443], authcBasic

or

    /SoapService\?wsdl = noSessionCreation, ssl[8443], anon

or

    /SoapService\\?wsdl = noSessionCreation, ssl[8443], anon

or

    /SoapService\\\?wsdl = noSessionCreation, ssl[8443], anon

or

    /SoapService\\\\?wsdl = noSessionCreation, ssl[8443], anon

or

    **wsdl = noSessionCreation, ssl[8443], anon

or

    /*wsdl = noSessionCreation, ssl[8443], anon

or

    /SoapService*/ = noSessionCreation, ssl[8443], anon

or

    /SoapService** = noSessionCreation, ssl[8443], authcBasic

And lots of other combinations which I do not quite remember.

Trouble is: The documentation states Apache Shiro uses Ant path expressions for the [urls] section. But Ant itself does a horrific job at explaining how its path expressions work, i.e. they do not explain how they match a literal '?' but leave us to guessing.

Has anybody managed to secure his / her webservice through Shiro but leave the wsdl unrestricted and would kindly care to share?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Securing-a-SOAP-webservice-but-leaving-wsdl-open-to-anonymous-tp7580446.html
Sent from the Shiro User mailing list archive at Nabble.com.
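
An added illustration, not part of the original post and not Shiro's own matcher: a simplified Ant-style pattern matcher run over the first configuration above, where `?` is Ant's single-character wildcard. It assumes rules are evaluated first-match-wins against the request path with the query string already split off (as the servlet API's `getRequestURI()` returns it); `ant_to_regex`, `first_chain` and `RULES` are names made up for this sketch.

```python
import re
from urllib.parse import urlsplit

def ant_to_regex(pattern):
    """Simplified Ant-style translation (illustrative, not Shiro's matcher):
    ?  = exactly one character, *  = any run inside one path segment,
    ** = any run across segments; a trailing /** also matches the bare prefix."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def matches(pattern, path):
    return ant_to_regex(pattern).match(path) is not None

def first_chain(rules, url):
    """Return the filters of the first rule whose pattern matches the URL's
    path. Assumption: the query string is split off before matching."""
    path = urlsplit(url).path
    for pattern, filters in rules:
        if matches(pattern, path):
            return filters
    return None

# The first configuration from the post, reduced to the access filter.
RULES = [
    ("/SoapService?wsdl", "anon"),
    ("/SoapService/**", "authcBasic"),
]

if __name__ == "__main__":
    # Constructed sample request URLs.
    for url in ("/SoapService?wsdl", "/SoapService", "/SoapServiceXwsdl"):
        print(f"{url:22} -> {first_chain(RULES, url)}")
```

Under these assumptions the WSDL request and a plain service call present the same path and land on the same rule, while the `?` pattern grants `anon` to any path of the shape `/SoapService<one character>wsdl`. A path-only rule therefore cannot tell the two requests apart; the decision has to be made where the query string is visible.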
